Argentinian Companies Still Have a Long Way to Go in Defense of Their Users’ Privacy, Second “Who Defends Your Data” Report Shows

Argentinian civil rights group Asociación por los Derechos Civiles (ADC) has just launched its second edition of the ¿Quien Defiende Tus Datos? (Who Defends Your Data?) report, rating nine companies’ commitments to transparency and user privacy.

Argentinian companies are off to a good start but still have a long way to go to fully protect their customers’ personal data and be transparent about who has access to it. This years’ report shows Telefónica-Movistar taking the lead, followed far away by Telecentro, IPLAN, Claro. This was the first year Claro was included in the Argentina report and it presented poor results compared to its evaluation in other countries in which it operates, such as Chile and Brazil. This year, two companies from the previous report have merged, Fibertel (Cablevisión) and Arnet (Telecom), leading to a concentration of 68% of the fixed broadband market in just one firm.

This year’s edition also rates for the first time the three most popular delivery service apps – Glovo, Pedidos Ya, and Rappi – which represent a growing market in the country and similarly deal with sensitive details about peoples’ habits. Rappi is the best ranked among them.

Regarding ISPs, the scores are similar to the first edition with a few notable improvements, such as IPLAN’s release of a privacy policy.

The final results of the report are below.  The full study, including details about each company, is available in Spanish

Evaluation Criteria for ¿Quién Defiende tus Datos? Argentina

This year’s report assesses companies’ policies in six areas:

Privacy Policy: A company’s privacy policy should be easy to find and to understand, and should tell users which data is being collected, and for how long the company stores it. The privacy policy should cover consent, information, and data accuracy obligations, data subject’s rights (like right of access to personal data and how it may be exercises), and whether the company’s databases are registered within the data protection authority. The privacy policy should also state when and how the company will inform users of any changes to the policy.

Transparency: Companies should publish periodic transparency reports that are accessible to the public, and detail how many government requests have been received, complied with, and rejected.

Notification: Companies should commit to notifying users of government data demands, and Bonus points if they do the notification a priori.

Judicial Order: Companies should require investigation authorities to obtain a court order before handing over data, and should commit to this standard for metadata requests as well.

Law Enforcement Guidelines: Companies should have publicly available guidelines for law enforcement requests, including detailed information considering the local legal context.

Promotion and Defense of Human Rights: Companies should judicially resist data requests that are excessive and do not comply with legal requirements, and should promote policy, legislative, and other initiatives to foster users’ privacy and data protection.

Main findings

Delivery service apps rate better than ISPs in privacy policies, but don’t show many stars in other criteria. The exception is the judicial order category, in which Glovo y PedidosYa stipulate handing over personal data when required by law, by the competent authorities, or following “prior legal request.” However, they don’t clarify which requirements should be met or which type of legal request is needed. Even so, they still rank ahead of Telecentro, IPLAN, and Claro in this parameter. Fibertel/Telecom stands out with a half-star for committing to request a judicial order before handing over personal data. The company didn’t receive the full score since it seems to state that law could authorize law enforcement access data even without a court order. It does not detail the legal grounds or which data could be handed regardless of a warrant..

Fibertel/Telecom and Rappi are the only ones that fully accomplish the parameters assessed for privacy policies.

As for the transparency category, no company received the maximum score. Movistar earned a half-star for publishing periodic transparency reports showing the number of requests received, approved, and rejected. However, the report isn’t easily accessible for Argentinian users, for it is only available on the parent company’s website. Likewise, AT&T, DirecTV’s parent company, also scored a half-star for publishing periodic transparency reports, which are scantily summarized for requests received outside the U.S. It doesn’t clarify, for example, if the total number reported for Argentina relates to all the requests received or only the ones the company responded to.

Both companies also received a half-star in the notification category. DirecTV states that, whenever possible, it will make efforts to notify users about personal information requests by “competent authorities.” Yet, the language used leaves a wide room for discretion as well as failing to clarify if the notification will take place before or after handing the information to authorities. Movistar simply states it will notify users about the requests received “to the extent allowed by law and procedural rules.” The company omits any further details on how it understands and applies such legal and procedural rules, failing to specify in which situations users are notified, and when it occurs beforehand or after the fact.

This project is part of a larger initiative across Latin America and Spain. EFF’s Who Has Your Back? has held U.S. internet companies accountable for their privacy policies and practices for nearly a decade. Since 2015, EFF’s partners around the world are doing the same, and we’ve seen great achievements so far. We’ll continue monitoring companies’ commitments and practices.